(Editor’s Note: This post originally appeared on UltimateWindowsSecurity.com)
By Randy Franklin Smith, Windows Security Subject Matter Expert
If I were to lose sleep about technology risks, it would be about endpoint security. Endpoint security is probably every organization’s biggest risk area, and it shows in the frequency and increasing severity of data breaches. You can trace almost every data breach over the past several years to endpoints – especially workstations.
Preventing unwanted (malicious, unauthorized, unlicensed or otherwise) code from executing on endpoints is not easy. There are a million ways to trick users, browsers and applications into executing arbitrary code. Additionally, the bad guys keep getting more sophisticated.
I don’t think the day is far off when spending money on signature-based antivirus instead of more advanced protection will be regarded as wasteful and irresponsible. You may not want to go without traditional AV, but that doesn’t mean you have to pay for it.
Many customers already get Microsoft’s System Center Endpoint Protection (SCEP) “free” with their enterprise agreement. That saved money could be spent on advanced endpoint security technologies, such as application control, that prevent untrusted code from running – even if it’s part of a targeted attack for which no signatures have been developed.
Bit9 + Carbon Black is a sponsor here at Ultimate Windows Security and one of the companies that produces advanced endpoint security products. They have recently integrated their technologies with Microsoft’s SCEP and Enhanced Mitigation Experience Toolkit (EMET). Their integration will really help organizations that use these products respond to malware infections more effectively.
For instance, let’s say SCEP detects a piece of malware and quarantines it. Is that it? Job done?
Actually it would be nice to know:
- How did the file get there?
- How long was it there?
- Where has that file been before being detected on that endpoint?
- What other computers has it been opened on?
- If it executed, what did it do?
Most organizations never pursue questions like these. Who has the time or the resources? And most of the information required to answer those questions was never captured in the first place.
At the very least, this leads to repeated infections and quarantining because the AV technology detects the malware but not the “dropper.” So the file continues to show up on that system (or on others), consuming IT security staff time and increasing the chance that it will finally get a chance to run.
Bit9 + Carbon Black’s integration with SCEP enables SCEP to notify the Bit9 security platform when known malware is detected. Bit9 then correlates that event with data its agent has collected on that endpoint (as well as others) to help you investigate the scope of the attack. After finding out how the malware was dropped in the first place, you may be able to remediate the problem and prevent future infections from parent processes. You may even uncover a much bigger problem.
Bit9 + Carbon Black also adds value for EMET users. EMET provides some highly advanced hardening that protects applications from memory attacks such as heap spraying, structured exception handling overwrites, return-oriented programming, and DLL injection. But EMET-protected systems are basically islands in terms of monitoring and management.
It’s not easy to answer:
- Where is EMET deployed?
- Where is it missing?
- Which applications is EMET protecting and how is it configured?
- When and where is EMET detecting attacks and shutting down applications?
That last one is a particularly big question: if EMET is responding to a false positive, you need to know that before it finally filters up to you through end-user support, by which point your business is at a standstill because of your security software.
On the other hand, if EMET is doing its job and stopping an attack that’s evaded your other layers of defense, you need to know about it as soon as possible so that you can track down the source and prevent other systems (such as non-EMET-protected computers) from being hacked.
Carbon Black’s integration with EMET addresses these issues and enables you to deploy and manage EMET centrally from the Carbon Black console.
You can learn more about Bit9 + Carbon Black’s integration with MS technologies at https://www.carbonblack.com/partners/microsoft/#overview.